Improper Certificate Validation Affecting nextcloud-desktop package, versions <3.3.1-1
Threat Intelligence
EPSS
0.19% (58th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-DEBIANUNSTABLE-NEXTCLOUDDESKTOP-1305159
- published 15 Jun 2021
- disclosed 11 Jun 2021
Introduced: 11 Jun 2021
CVE-2021-22895 Open this link in a new tabHow to fix?
Upgrade Debian:unstable nextcloud-desktop to version 3.3.1-1 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream nextcloud-desktop package and not the nextcloud-desktop package as distributed by Debian.
See How to fix? for Debian:unstable relevant fixed versions and status.
Nextcloud Desktop Client before 3.3.1 is vulnerable to improper certificate validation due to lack of SSL certificate verification when using the "Register with a Provider" flow.
References
- https://security-tracker.debian.org/tracker/CVE-2021-22895
- https://www.debian.org/security/2021/dsa-4974
- https://github.com/nextcloud/desktop/pull/2926
- https://github.com/nextcloud/desktop/releases/tag/v3.1.3
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-qpgp-vf4p-wcw5
- https://hackerone.com/reports/903424
CVSS Scores
version 3.1